mirror of
https://github.com/MariaDB/server.git
synced 2025-01-17 20:42:30 +01:00
d4c35fb21b
The main goal of this patch is to prevent MariaDB's native_password_plugin
from "parsing" the hex (or non hex) authentication_string. Due to how the
current code is written, we convert any string (within native_password_get_salt)
that has the appropriate length to a "binary" representation, that can
potentially match a real password.
More specifically,
"*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE" produces the same results as
"*d13c3c78dafa52d9bce09bdd1adcb7befced1ebe".
The length indicator is the main indicator of an invalid password. We use
use same trick with "invalid" to change its internal representation.
The "parsing" mentioned is by get_salt_from_password down to char_val()
and because if where it is, its effectively a static plugin API that cannot
change.
In supporting these, we support the SHOW CREATE USER from MySQL may have the
hashed password string: *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE.
Obviously this isn't a hash because it contains non-hex characters.
After this patch we do however recognise the pattern;
[any char, notionally *]{40 chars not all are hex}
as a pattern for an invalid password. This was determined to be the general
pattern that MySQL used.
Reviewers: Sergei G, Vicentiu
173 lines
5.6 KiB
Text
173 lines
5.6 KiB
Text
#
|
|
# MDEV-9835 Valid password is not working after server restart.
|
|
#
|
|
# Various combinations of SET PASSWORD and not-empty mysql.user.plugin field
|
|
#
|
|
--source include/not_embedded.inc
|
|
|
|
--enable_connect_log
|
|
|
|
set global secure_auth=0;
|
|
|
|
# The hash (old and new) is for 'test'
|
|
create user natauth@localhost identified via 'mysql_native_password' using '*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29';
|
|
|
|
create user invalidauth@localhost identified via 'mysql_native_password' using 'invalid';
|
|
|
|
create user newpass@localhost identified by password '*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29';
|
|
|
|
create user invalidpass@localhost identified by password 'invalid';
|
|
|
|
create user newpassnat@localhost identified via 'mysql_native_password';
|
|
set password for newpassnat@localhost = '*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29';
|
|
|
|
create user invalidpassnat@localhost identified by password 'invalid';
|
|
set password for invalidpassnat@localhost = 'invalid';
|
|
|
|
create user oldauth@localhost identified with 'mysql_old_password' using '378b243e220ca493';
|
|
|
|
create user oldpass@localhost identified by password '378b243e220ca493';
|
|
|
|
create user oldpassold@localhost identified with 'mysql_old_password';
|
|
set password for oldpassold@localhost = '378b243e220ca493';
|
|
|
|
create user invalidmysql57auth@localhost identified via 'mysql_native_password' using '*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE';
|
|
|
|
--sorted_result
|
|
select user, host, password, plugin, authentication_string from mysql.user where user != 'root';
|
|
|
|
--connect(con,localhost,natauth,test,)
|
|
select current_user();
|
|
--disconnect con
|
|
--connect(con,localhost,newpass,test,)
|
|
select current_user();
|
|
--disconnect con
|
|
--connect(con,localhost,newpassnat,test,)
|
|
select current_user();
|
|
--disconnect con
|
|
--connect(con,localhost,oldauth,test,)
|
|
select current_user();
|
|
--disconnect con
|
|
--connect(con,localhost,oldpass,test,)
|
|
select current_user();
|
|
--disconnect con
|
|
--connect(con,localhost,oldpassold,test,)
|
|
select current_user();
|
|
--disconnect con
|
|
|
|
--connection default
|
|
|
|
flush privileges;
|
|
|
|
--connect(con,localhost,natauth,test,)
|
|
select current_user();
|
|
--disconnect con
|
|
--connect(con,localhost,newpass,test,)
|
|
select current_user();
|
|
--disconnect con
|
|
--connect(con,localhost,newpassnat,test,)
|
|
select current_user();
|
|
--disconnect con
|
|
--connect(con,localhost,oldauth,test,)
|
|
select current_user();
|
|
--disconnect con
|
|
--connect(con,localhost,oldpass,test,)
|
|
select current_user();
|
|
--disconnect con
|
|
--connect(con,localhost,oldpassold,test,)
|
|
select current_user();
|
|
--disconnect con
|
|
|
|
--connection default
|
|
|
|
# changing to the NEW password hash
|
|
set password for natauth@localhost = PASSWORD('test2');
|
|
set password for newpass@localhost = PASSWORD('test2');
|
|
set password for newpassnat@localhost = PASSWORD('test2');
|
|
set password for oldauth@localhost = PASSWORD('test2');
|
|
set password for oldpass@localhost = PASSWORD('test2');
|
|
set password for oldpassold@localhost = PASSWORD('test2');
|
|
|
|
--sorted_result
|
|
select user, host, password, plugin, authentication_string from mysql.user where user != 'root';
|
|
|
|
--connect(con,localhost,natauth,test2,)
|
|
select current_user();
|
|
--disconnect con
|
|
--connect(con,localhost,newpass,test2,)
|
|
select current_user();
|
|
--disconnect con
|
|
--connect(con,localhost,newpassnat,test2,)
|
|
select current_user();
|
|
--disconnect con
|
|
--connect(con,localhost,oldauth,test2,)
|
|
select current_user();
|
|
--disconnect con
|
|
--connect(con,localhost,oldpass,test2,)
|
|
select current_user();
|
|
--disconnect con
|
|
--connect(con,localhost,oldpassold,test2,)
|
|
select current_user();
|
|
--disconnect con
|
|
|
|
--connection default
|
|
|
|
flush privileges;
|
|
|
|
--connect(con,localhost,natauth,test2,)
|
|
select current_user();
|
|
--disconnect con
|
|
--connect(con,localhost,newpass,test2,)
|
|
select current_user();
|
|
--disconnect con
|
|
--connect(con,localhost,newpassnat,test2,)
|
|
select current_user();
|
|
--disconnect con
|
|
|
|
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
|
|
--error ER_ACCESS_DENIED_ERROR
|
|
--connect(con,localhost,invalidauth,invalid,)
|
|
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
|
|
--error ER_ACCESS_DENIED_ERROR
|
|
--connect(con,localhost,invalidpass,invalid,)
|
|
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
|
|
--error ER_ACCESS_DENIED_ERROR
|
|
--connect(con,localhost,invalidpassnat,invalid,)
|
|
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
|
|
--error ER_ACCESS_DENIED_ERROR
|
|
--connect(con,localhost,invalidmysql57auth,invalid,)
|
|
|
|
--connect(con,localhost,oldauth,test2,)
|
|
select current_user();
|
|
--disconnect con
|
|
--connect(con,localhost,oldpass,test2,)
|
|
select current_user();
|
|
--disconnect con
|
|
--connect(con,localhost,oldpassold,test2,)
|
|
select current_user();
|
|
--disconnect con
|
|
|
|
--connection default
|
|
drop user natauth@localhost, newpass@localhost, newpassnat@localhost;
|
|
drop user invalidauth@localhost, invalidpass@localhost, invalidpassnat@localhost,invalidmysql57auth@localhost;
|
|
drop user oldauth@localhost, oldpass@localhost, oldpassold@localhost;
|
|
set global secure_auth=default;
|
|
|
|
#
|
|
# MDEV-16238 root/localhost authn prioritizes authentication_string over Password
|
|
#
|
|
--source include/switch_to_mysql_user.inc
|
|
create user foo@localhost identified with mysql_native_password;
|
|
update mysql.user set authentication_string=password('foo'), plugin='mysql_native_password' where user='foo' and host='localhost';
|
|
set password for 'foo'@'localhost' = password('bar');
|
|
flush privileges;
|
|
--connect foo, localhost, foo, bar
|
|
select user(), current_user();
|
|
show grants;
|
|
--disconnect foo
|
|
--connection default
|
|
select user,host,password,plugin,authentication_string from mysql.user where user='foo';
|
|
set password for 'foo'@'localhost' = '';
|
|
select user,host,password,plugin,authentication_string from mysql.user where user='foo';
|
|
drop user foo@localhost;
|
|
--source include/switch_to_mysql_global_priv.inc
|